Integrating Xlight FTP Server with Active Directory
Xlight FTP Server can be integrated with Active Directory to authenticate users. Users can then use the same user name and password for the FTP server, the e-mail server and other domain resources. Note: after the 30-day evaluation period, this function is only supported by the Professional edition of Xlight FTP Server.
To use Active Directory for external user authentication, go to [Virtual Server Configuration]->[General]->[Virtual Server] and select the option "Enable external user authentication". Click the "Setup..." button and select Active Directory as the "Authentication Type" of the virtual server configuration, as shown in the figure below:
When you open the Active Directory setup dialog, if your server has already joined the Active Directory domain, Xlight FTP Server will automatically detect your Logon Domain and Base DN. If you cannot see this information, you have to set the Logon Domain and Base DN manually.
If you only want to check the username and password against Active Directory, choose the option "Only check username and password". When this option is selected, the AD attribute homeDirectory will also not be used.
Set up default user profile
If you don't want to use the AD attribute homeDirectory as the user's FTP home directory, or if you have many AD users and don't want to set homeDirectory for each of them, you can use the default user profile to set up the home directory for users. This link has a detailed description of setting up the default user profile.
Set up user's home directory in the Active Directory
You can use Microsoft's Active Directory Users and Computers console to set the user's home directory, as shown in the figure below. The AD attribute homeDirectory will be used as the FTP user's home directory.
Note: When a user logs in for the first time and his home directory doesn't exist, it will be created by Xlight FTP Server automatically.
Use NTFS permission for user's home directory
When the option "Use NTFS permission for user's home directory" is selected, Xlight FTP Server will impersonate the AD account of the logged-on FTP user. Access to his home directory will be restricted by his NTFS permissions. If this option is not selected, the SYSTEM account or the currently logged-in user account running Xlight FTP Server will be used to access the home directories of all users.
When the option "Use NTFS permission for user's home directory" is selected but the user cannot access his home directory, there are two things about NTFS permissions that you need to check:
1. If user authentication to Active Directory succeeded, but the FTP log contains an entry such as "450 Can't change directory to /.", this is most likely an NTFS permission problem. You need to check whether the account has permission to access this directory. If the home directory is a UNC path located on another remote machine, from the desktop console of that machine you should be able to log on with the same user account by pressing Ctrl+Alt+Del. After logging on with this account from the desktop console, check whether it has enough permissions to access the configured home directory.
2. You should not set a normal user's home directory on the domain controller. Microsoft's domain security policy will not allow normal users to access resources on the domain controller. Although such a user can be successfully authenticated with AD, he will not be able to access his home directory on the domain controller. Only an account with administrator privileges can access its home directory on the domain controller.
Compatibility with the IIS FTP Active Directory user isolation mode
Xlight FTP Server provides a way to be compatible with the Active Directory user isolation mode introduced by IIS FTP Server 6.0. You can select the option "Compatible with IIS FTP active directory user isolation mode". When this option is selected, Xlight FTP Server will read and use the IIS FTP AD attributes msIIS-FTPRoot and msIIS-FTPDir as the user's home directory. If these IIS FTP attributes are not set or do not exist in the Active Directory, the AD attribute homeDirectory will automatically be used as this user's home directory.
Set up public paths for the FTP server
You can set up public paths for the virtual server. After authentication, all users can see and download from the public paths, as shown in the figure below:
Because a user's home directory in the AD implicitly uses "/" as his user virtual path, you should not use "/" for the public virtual path. Otherwise, since "/" is duplicated, when an AD user logs in he can only see the content of the public virtual path, not his home directory. In the figure above, we use "/public" as the public virtual path.
Use NTFS permission for FTP Server's public path
When the option "Use NTFS permission for public path" is selected, Xlight FTP Server will impersonate the logged-on AD account. The NTFS permissions of each AD user will then be checked against the public path access. NTFS-based permissions give more flexibility to the public path's permission control, and they override the public path's local FTP permission. However, impersonation of the AD account may fail in some rare situations. If the impersonation fails, the local FTP permission of the public path will be used. So if you use NTFS permissions for public path access, you still need to set a proper (least-privilege) local FTP permission for it, in case impersonation of the AD account fails.
Use NTFS permission for user's group path
When the option "Use NTFS permission for group path" is selected, Xlight FTP Server will impersonate the logged-on AD account. The NTFS permissions of each AD user will then be checked against the local FTP group path access. After creating a local FTP group, the group path can be set in the local Xlight FTP Server.
Map a user's Active Directory group to local FTP group
When a user logs on to Active Directory, the first AD group in his memberOf attribute (the memberOf attribute lists the groups the user is a member of) whose name matches a local FTP group name becomes this user's FTP group. Since Xlight version 3.8.6, when matching against local FTP group names, a user's AD primary group is always checked before his other AD groups. So if a user has multiple AD groups with the same names as local FTP groups, you can set this user's AD primary group to the one you want him mapped to as his local FTP group.
- The user's AD primary group (by default "Domain Users") applies only to users who log on to the network through Services for Macintosh or who run POSIX-compliant applications, so it is an attribute that is normally not otherwise used.
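The group selection rule above (primary group first, then memberOf in directory order, first name match wins) as an added example; this is illustrative code, not Xlight's own, and the group names, DNs and case-insensitive name comparison are assumptions:

```python
import re

# Constructed sample data, not values from the Xlight documentation:
# the DN of the user's AD primary group, his memberOf attribute in the
# order the directory returned it, and the groups defined locally in Xlight.
PRIMARY_GROUP_DN = "CN=Domain Users,CN=Users,DC=ad-test-domain,DC=com"
MEMBER_OF = [
    "CN=Staff,OU=Groups,DC=ad-test-domain,DC=com",
    "CN=Developers,OU=Groups,DC=ad-test-domain,DC=com",
    "CN=Upload,OU=Groups,DC=ad-test-domain,DC=com",
]
LOCAL_FTP_GROUPS = ["Upload", "Developers"]


def group_name_from_dn(dn):
    """Return the CN (group name) of a distinguished name, or None.

    Handles backslash-escaped characters inside the CN value.
    """
    m = re.match(r"\s*CN=((?:\\.|[^,\\])+)", dn, re.IGNORECASE)
    return m.group(1).strip() if m else None


def map_ftp_group(primary_group_dn, member_of, local_groups):
    """Pick the local FTP group for an AD user.

    The primary group is checked first (the 3.8.6+ behaviour described
    above), then memberOf entries in the order given. The first group whose
    name matches a local FTP group wins. Name comparison is assumed to be
    case-insensitive, as AD names are; None means no mapping applies.
    """
    local = {g.lower(): g for g in local_groups}
    candidates = [primary_group_dn] + list(member_of)
    for dn in candidates:
        name = group_name_from_dn(dn)
        if name and name.lower() in local:
            return local[name.lower()]
    return None


if __name__ == "__main__":
    # memberOf order decides here because the primary group is not local.
    print(map_ftp_group(PRIMARY_GROUP_DN, MEMBER_OF, LOCAL_FTP_GROUPS))
```

Changing the primary group to the "Upload" group's DN makes "Upload" win even though "Developers" comes first in memberOf.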
Set LDAP Filter to limit user search scope
An additional LDAP filter can be set to limit the user search scope; the filter must use the user's LDAP attributes. For example, if you only want users belonging to the Users group in the AD to be able to log in, you can use the memberOf attribute in the AD and set the LDAP search filter to memberOf=CN=Users,CN=Builtin,DC=ad-test-domain,DC=com
Create and allow an anonymous user to access the FTP server
When users are authenticated against the Active Directory, you may still want to allow an anonymous user, who can use any password, to access the FTP server. Because users in the Active Directory must have a password, an anonymous user cannot be created in the Active Directory.
However, you can create a user with the username "anonymous" in the local FTP server and select the option "Bypass the external authentication" in his settings ([User settings]->[Account]->[Option for external authentication]), as shown in the picture below. This local FTP user will bypass the external authentication and be authenticated against the local FTP server. His settings will also come from the local FTP server.
Troubleshooting Active Directory problems
If you have problems integrating Xlight FTP Server with Active Directory, you can select the external user authentication option "Show debug trace information in Error Log". After selecting this option, the Active Directory debug information of Xlight FTP Server will be written to the Error log.
The following are two common configuration mistakes with Active Directory:
1. A normal user's home directory should not be located on the domain controller. Microsoft's default domain security policy prohibits normal users from logging on to the domain controller and accessing files on it. So a normal user can be authenticated to AD, but he will not be able to access files on the domain controller. Users need the interactive logon right on the domain controller to access files on it. If you want to keep user home directories on the domain controller, the link at http://technet.microsoft.com/en-us/library/cc785165(WS.10).aspx has the steps to change the default domain security policy.
2. When running Xlight FTP Server on an older Windows OS, for example Windows 2000, the account running the Xlight program must have the "Act As Part Of The Operating System" (SE_TCB_NAME) privilege. Otherwise the Active Directory user will not be able to access his home directory. The (SE_TCB_NAME) privilege can be set in the Local Security Policy MMC snap-in under Local Policies/User Rights Assignment. This problem is caused by an OS restriction that existed before Windows XP. So on Windows XP and later, there is no need to assign this privilege to the account running the Xlight FTP program.
How to install the extended schema xlightFTPdUser in the Active Directory
There is another option, "Use extended schema "xlightFTPdUser"". It provides many Xlight FTP Server related options through the extended schema xlightFTPdUser. You can click here to check which options are provided by the extended schema xlightFTPdUser.
Please note: The following steps are optional. If you don't want to use the options of the xlightFTPdUser schema, you can skip the steps below.
When this option is selected, the attribute homeDirectory of the user object from AD will not be used as the FTP home directory. Instead, ftpHomeDirectory from the extended schema xlightFTPdUser will be used as this user's FTP home directory.
Before using this option, the extended schema xlightFTPdUser must be installed in the Active Directory. The procedure is shown below.
To install the schema xlightFTPdUser, first open the file AD-xlightFTPdUser.ldif and replace every DC=X with your domain, as shown in the figure below. AD-xlightFTPdUser.ldif can be found under the ldap directory of the location where Xlight FTP Server is installed.
Save the file AD-xlightFTPdUser.ldif. You can use the tool ldifde.exe to import the schema xlightFTPdUser into Active Directory, as shown in the figure below. You have to log on as a domain administrator to perform the operations below.
If the operation above succeeded, you can use MMC to check whether the schema xlightFTPdUser was imported successfully, as shown in the figure below:
In the MMC Snap-in, select Active Directory Schema, click the "Add" button and then the "Close" button, as shown in the figure below:
If you can see the auxiliary object class xlightFTPdUser in the window below, the schema xlightFTPdUser was imported successfully.
You can use ADSI Edit to modify Xlight FTP Server options for users in the Active Directory. ADSI Edit can be found in the Windows Support Tools on the product CD or downloaded from the Microsoft web site. From the MMC Snap-in window, add ADSI Edit as shown in the figure below:
Connect to Active Directory with ADSI Edit. Select CN=Users and you will find the users in the right-hand panel. Select the user for whom you want to set Xlight FTP Server related options, as shown in the figure below:
Right-click the user and click the menu item "Properties". In the dialog box, select and edit the Xlight FTP Server related options, as shown in the figure below. These attribute names all start with the letters "ftp". You only need to add the attributes you want to use. When you add the attribute ftpHomeDirectory and the option "Use NTFS permission for user's home directory" is not selected, you also need to add the attribute ftpHomePerm to control the permission of ftpHomeDirectory.
You should now be able to use the schema xlightFTPdUser and set Xlight FTP Server related FTP options for this user.
Set up virtual paths for an FTP user
From Xlight FTP Server version 3.5, you can set up multiple virtual paths for a user through the attribute ftpVirtualPaths of the xlightFTPdUser schema. The string for "ftpVirtualPaths" is the "|"-separated combination of virtual path, real path and permission, as shown in the figure below. Its format is "virtual path | real path | permission". An example virtual path string is "/files/ | C:\Downloads\ | RLS----", where "/files/" is the virtual path, "C:\Downloads\" is the real path mapped to "/files/", and the third field is the permission flag string of "/files/". Virtual path, real path and permission are separated by "|". You can refer to the description of "ftpHomePerm" for the meaning of each permission flag. Note: The virtual path must be a UNIX style path and the real path must be a Windows style path.
The variable %username% can be used in the real path. %username% will be replaced with the actual user name after the user logs in. If the real path doesn't exist when the user logs in, Xlight FTP Server will create it automatically.
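A parser for the ftpVirtualPaths format described above, added here as an example (not Xlight's own code): it enforces the three-field layout, the UNIX-style virtual path, a Windows drive or UNC real path (the drive/UNC requirement and the rejection of path separators in the user name are this example's assumptions), and performs the %username% substitution, refusing malformed values rather than silently mapping a wrong directory:

```python
import re

# Constructed sample value for the ftpVirtualPaths attribute, in the
# "virtual path | real path | permission" format described on this page.
SAMPLE_FTPVIRTUALPATHS = "/files/ | C:\\Downloads\\ | RLS----"

# Windows drive path ("C:\...") or UNC path ("\\server\share\...").
_WINDOWS_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\[^\\]+\\)")


def parse_virtual_path(value, username):
    """Split one ftpVirtualPaths entry into (virtual, real, perm).

    Raises ValueError for anything that does not match the documented
    layout. The permission flags are returned as-is; their meaning is
    given by the ftpHomePerm description, not interpreted here.
    """
    fields = [f.strip() for f in value.split("|")]
    if len(fields) != 3 or not all(fields):
        raise ValueError("expected 'virtual | real | permission': %r" % value)
    virtual, real, perm = fields
    if not virtual.startswith("/") or "\\" in virtual:
        raise ValueError("virtual path must be UNIX style: %r" % virtual)
    if not _WINDOWS_PATH.match(real):
        raise ValueError("real path must be a Windows drive or UNC path: %r" % real)
    # Defensive assumption: a user name must never alter the directory layout.
    if any(c in username for c in "\\/:"):
        raise ValueError("user name contains a path separator: %r" % username)
    # %username% is substituted case-insensitively after login.
    real = re.sub(r"%username%", username, real, flags=re.IGNORECASE)
    return virtual, real, perm


def is_valid_virtual_path(value):
    """True if the entry parses under the rules above (with a dummy user)."""
    try:
        parse_virtual_path(value, "user")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_virtual_path(SAMPLE_FTPVIRTUALPATHS, "alice"))
```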